Mitel Product Security Advisory OBSO-2407-03

Unify OpenScape 4000 Assistant and Unify OpenScape 4000 Manager Command Injection Vulnerability

Advisory ID: OBSO-2407-03

Publish Date: 2024-07-17

Last Updated: 2024-07-17

Revision: 1.0

 

Summary

A command injection vulnerability in the Unify OpenScape 4000 Assistant and Unify OpenScape 4000 Manager could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit of this vulnerability could allow an attacker to execute arbitrary commands within the container of the impacted component, with a potential impact on the confidentiality, integrity, and availability of the system.

The vulnerability severity is rated as critical. 

Credit and thanks are extended to Dr. Oliver Matula, Tim Kornhuber and Andreas Wagner of DB Systel GmbH for highlighting this issue and bringing it to our attention.

 

Affected Products

Product statements are related only to supported product versions. Products which have reached End of Support (M44) status are not considered. 

Products confirmed affected

 

Risk Assessment

CVSS3.1 Base score: 9.8 (Critical)

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

Mitigation / Recommended Action

Customers with affected product versions are advised to update the systems with the available fixes.

 

Revision History

Version   Date         Description
1.0       2024-07-17   Initial release


Advisory: OBSO-2407-03, status: general release
Security Advisories are released as part of Mitel Unify's Vulnerability Intelligence Process. For more information see https://www.mitel.com/support/security-advisories.

Contact and Disclaimer

Mitel Product Security Office
[email protected]
© Unify Software and Solutions GmbH & Co. KG 2024
Otto-Hahn-Ring 6
D-81739 München
www.mitel.com


The information provided in this document contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract. Availability and technical specifications are subject to change without notice.
Unify, OpenScape, OpenStage and HiPath are registered trademarks of Unify Software and Solutions GmbH & Co. KG.

All other company, brand, product, and service names are trademarks or registered trademarks of their respective holders.